SAMURAI. Useful enough to stop all drivers?

Anyone with some past experience with the app Samurai, do you find the "prevent rootkits from installing" feature something of the past with little or no use, or can anyone verify or confirm that by applying this one particular feature, it still, in its lack of long-overdue updating, proves useful enough to depend on as an additional hardening application that prevents ANY driver installs AFTER it's been applied to a system setup?

This is of some interest because in my testing this one aspect of the many other features that it offers seems to prevent even IceSword/Rku and other apps, flat out denying them to activate/load those analysis apps' drivers, in effect rendering them disabled.

Just wondering if it's that strong and could also defend against attempts at rootkit installations.

I tested it on XP SP2, and it worked fine. I have not tested it under SP3 lately, but you are still running SP1, aren't you? In that case it does not matter (f.i. WinPooch does not work 100% under XP3).

Regards Kees


Most of my units I have turned to SP2 now, with a few exceptions of other HDs.

tlu said:

EASTER,

I thought you were using LUA/SRP (which alone reliably prevent the installation of any rootkit/driver) plus EQS and/or SSM? Why bother about Samurai at all?


Why not both? Or would that be considered redundant in a SuRun LUA setup?

Meriadoc said:

Your observations are correct EASTER, post 9 on.


Thanks for the reassuring confirmation, I thought as much from my testings but wanted to be sure others experienced similar protection with use of it.

Thanks Longboard for the links, and boy I would love for it to be updated again myself, seeing as according to Gladiator Forums that was 2007.

It would be so fantastic for super hardening and to put the proverbial icing on the cake; wouldn't it be a treat if he could somehow add a way to protect the MBR/Partition Table from the likes of (Ugh) KillDisk and other destructive system disruptors.

With LUA+SRP onboard (I have tlu to thank for that) the only thing you need is file control, in case something tries to fool SRP, and maybe registry guard for the 7 open entries that LUA leaves open, and like in my case you do not wanna use kafu (gave me BSOD).


A BSOD shouldn't happen. Did you execute kafu with SuRun in your limited account? Was there possibly a conflict with a HIPS?

Well, it's by no means down to a science, but there definitely is some very useful scientific programming that goes into some of these hardening apps. Still haven't found a way around, when using the "prevent rootkits from installing" (provided they are driver related?) in Samurai, to free up both the USB ports and other devices mentioned earlier. That would be a plus because as-is you need to completely uninstall Samurai to free those USB ports, and besides there is a simple little batch file that can on-the-fly LOCK a system's USB ports that simply disables USBstor in the good ole registry.

This is just another technique. Of course LUA w/SRP and/or SuRun can offer (I think) somewhat similar protection; it's just that Samurai gets into the Ring0 hooking biz to block driver installations, as evidenced by trying to run IceSword and some other deep analysis apps while it's engaged.
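The "simple little batch file" mentioned in the post above, written out here as an added example (not the poster's own script): it locks or unlocks USB mass storage by flipping the Start value of the USBSTOR service, which is the registry switch that decides whether Windows loads the usbstor.sys driver. It assumes an XP-era registry layout, an administrative prompt (under LUA, via SuRun or "run as"), and the subcommand names lock/unlock/status are my own choice.

```batch
@echo off
rem Added example, not from the thread: lock/unlock/status for USB mass storage
rem by setting the Start value of the USBSTOR service (disables usbstor.sys).
rem Assumes Windows XP-era registry layout and an administrative prompt.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR"

if /i "%~1"=="lock"   goto lock
if /i "%~1"=="unlock" goto unlock
if /i "%~1"=="status" goto status
echo Usage: %~nx0 lock ^| unlock ^| status
exit /b 1

:lock
rem Start=4 (SERVICE_DISABLED): the driver is not loaded for newly attached devices.
reg add "%KEY%" /v Start /t REG_DWORD /d 4 /f >nul && echo USBSTOR disabled (Start=4).
goto end

:unlock
rem Start=3 (SERVICE_DEMAND_START) is the Windows default for USBSTOR.
reg add "%KEY%" /v Start /t REG_DWORD /d 3 /f >nul && echo USBSTOR enabled (Start=3).
goto end

:status
rem reg query prints "    Start    REG_DWORD    0x3"; the third token is the value.
set "VAL="
for /f "tokens=3" %%v in ('reg query "%KEY%" /v Start ^| findstr /i "Start"') do set "VAL=%%v"
if "%VAL%"=="" (echo Could not read %KEY%\Start & exit /b 1)
if /i "%VAL%"=="0x4" (echo USBSTOR is disabled) else (echo USBSTOR is enabled, Start=%VAL%)
goto end

:end
endlocal
```

A device that is already mounted keeps working until it is unplugged, because the value only affects future driver loads. The value lives under HKLM, so in a LUA setup a limited user cannot flip it back; anything running with admin rights can, which is why this is a hardening knob rather than a security boundary.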

A BSOD shouldn't happen. Did you execute kafu with SuRun in your limited account? Was there possibly a conflict with a HIPS?


Well, I ran it with the limited acc but with run as admin from the context, as with any software that needs to write something (e.g. install). Well, my HIPS still seems to allow any action so that's definitely not the prob... will try in VM soon.

Well, I ran it with the limited acc but with run as admin from the context, as with any software that needs to write something (e.g. install)


Ah, no - you must execute it in your limited account with SuRun and NOT with the built-in run as admin function since that would mean that you apply kafu to the autostarts of your admin account - but you want to apply it to the autostarts of your limited account!

On the other hand, even applying it with run as admin shouldn't cause a BSOD ...

Well, my HIPS still seems to allow any action so that's definitely not the prob... will try in VM soon.


Okay, but that wouldn't be the first example of a HIPS blocking something without giving a warning.

Check your magic box for an answer about Samurai's rootkit stopping abilities.
Do not share seppuku.exe with others =)

PoC for winxp only, password included.

Regards.


Excellent choice of words in code.

Thanks, and I'll give that a round and see how disappointed I can become. Question however: this obviously has to be a targeted PoC, or are you at liberty to expand on it, per se, hooking offered by various HIPS? If that is indeed so soft within the SSDT table (unhookers come to mind), and mind you Samurai desperately "NEEDS" updating greatly IMO with some self-protection, then it would leave no other alternative than either HIPS or the likes of Faronics' AE to stall off an executable's attempt to proceed.

This is a samurai 2.7 oriented proof of concept. It can be used against SSM v2.3 also. Everything else will (but is not obliged to) prevent this. Regarding samurai, it can be simply removed by any sophisticated malware even w/o loading drivers.

Regarding rku3.7, it can be loaded even with samurai protection against rootkits. To do this, start rku from the command line with option -console
e.g.
cmd.exe
c:\rku3.7.exe -console
type forcesafemode [enter]
reboot, samurai will be out of business.


OK Thanks Laerua

That was my first thought, and another reason these apps such as Samurai bounce on the scene only to seem like a flash-in-the-pan and quit updating, unfortunately.

So Samurai in its current and nearly obsolete version 2.7 is not of much use, unfortunately, as previously hoped.

I know for a fact that there are some clever programmers who could fill these gaps with designs of their own, but my guess is they prefer to sell their source to the big boys to implement into larger commercial interests.

I tested SAMURAI with VirusTotal; 5 scanners considered SAMURAI as infected. I hope they are all false positives?


It's hardly malware, but then it's not bad at disengaging drivers loading into the SSDT table and thus getting a hold on your system in the process, for whatever reason designed. This hooking thing is driving me plum bananas; I know for a fact XP systems could be hardened in this particular area without causing problems, that's the underlying basis for HIPS like SSM, where in their case they hook nearly the entire table.

I'm on a quest that may never be realized, but I'm convinced it can be done in similar manners as HIPS use to hook the table. The key to it is designing the best way to keep their drivers seated without being displaced by an unhooker.

In the meantime, it boils right back down to frontal defenses against executables like AE offers and ScriptDefender, as well as the sandboxes, virtual systems, and in some cases ISRs. I'm looking for bare bones, simple hardening of potential areas of interest to malicious intruder files, be they viruses or trojans or both, including MBR disrupters.

This revolving door of turning to this app then that app in a never ending circle to see which app offers the most authority is bordering on repetition that repeats itself over and over again. At this rate no one will ever be able to fully enjoy their computer investment if we must constantly be running to different apps all the time to avoid the contamination of the possibility of becoming infected by the latest and greatest threats.